Krebs on Security

In-depth security news and investigation

Ruling Raises Stakes for Cyberheist Victims

A Missouri firm that unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist may now be on the hook to cover the financial institution’s legal fees, an appeals court has ruled. Legal experts say the decision is likely to discourage future victims from pursuing such cases.

Choice Escrow and Land Title LLC sued Tupelo, Miss.-based BancorpSouth Inc., after hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.

BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use dual control — required one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers under either of two options, both of which were password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

A trial court was unconvinced, and last week the 8th Circuit Court of Appeals found essentially the same thing, while leaning even further toward the defendants.

“It’s a good opinion for banks [and] it’s definitely more pro-bank than pro-consumer,” said Dan Mitchell, a lawyer who chairs the data security practice at Bernstein Shur in Portland, Maine. “The appellate court found the same thing as the basic court. The customer was offered dual controls — that two people should be required to sign off on all transactions — and they were informed that it was important for them to take advantage of this. So, when [Choice Escrow] made an informed decision in writing not to use dual controls, the bank was careful to document that.”

Perhaps most significantly, Mitchell said, the decision could be a blow to companies trying to recover cyberheist losses from their banks. BancorpSouth had asserted at the trial court level that its contract with Choice Escrow indemnified it against paying legal fees in such a dispute. The trial court dismissed that claim, but the appeals court said in its decision that the bank could recover those costs from the escrow firm.

“The bank had asserted a counterclaim that the customer should pay the bank’s legal fees,” said Mitchell, who battled similar claims in which Patco — a Maine construction firm — successfully sued its bank over a $588,000 cyberheist. “There’s no other federal circuit court case other than Patco that has gotten up to that level. The appeals court said the bank can now pursue its legal fees against the customer. And that may end up being the important part of this opinion in the long run if [plaintiffs are] looking at not only having to pay their lawyers to pursue a loss but also those of the bank.”

Charisse Castagnoli, an adjunct professor of law at the John Marshall Law School, said the appeals court decision means that indemnification is now the ‘law of the land’ in the 8th Circuit.

Castagnoli said she expects two results from this decision: that banks which don’t already have these clauses in their online banking agreements will add them; and that cyberheist victims will think more cautiously about bringing a lawsuit.

“This is the first time a court has ruled on fee shifting, and that will certainly have a chilling effect on litigation,” Castagnoli said.

This entry was posted on Monday, June 16th, 2014 at 12:01 am and is filed under Target: Small Businesses.

Any time you see the word “indemnify” in a contract, especially when dealing with an entity whose pockets are much deeper than your own, you should be very, very wary about signing. It can mean that even if they screw up, you have to pay.

“BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer.

The other option — if the customer chose not to use dual control — required one user ID and password to both approve and release a wire transfer.”

The customer chose the less secure option and suffered the consequences. The question (unanswered in this story) is, who let the ID and password fall into the hands of thieves?

If the bank allowed the user ID and password to be stolen, the customer should appeal.

If the customer failed to secure the user ID and password, they screwed up twice…

Once when not accepting dual authentication, and again when they allowed the theft of their access credentials.

Reminds me of the story about the one attorney in a small rural town. He was going broke. Then a second attorney moved into town and they both got rich.

But this case seems like it’s about one of their clients being lazy and careless and then trying to use a lawyer to make the bank responsible for the consequences. Not sure that can be blamed on the lawyers; unfortunately that’s the basis of our legal (not to be confused with justice) system.

The state of security today is horrible. Banks should be fully liable for the losses as they know better than anyone that none of this is secure and has been insecure since 20 years ago when online commerce scaled. Credit card companies also know the lack of security; however, since the merchant absorbs the losses they could care less.
It’s much cheaper for them when people transact online so they keep the lack of security hush hush and try to pawn off the losses where they can.
This ruling (if it actually gets coverage) will only hurt consumer confidence and trust, but in my opinion that is great. The Internet was never meant for commerce or secure communications; it is a sharing medium, not a secrecy medium.

Steve, maybe banks should go back to what they did 10 years ago, fax in wire requests, before the customers demanded all these online services. The security is in place but the customers choose not to use it because it is too much trouble, and when they take a loss they do not want to be accountable for their actions. I am glad this ruling came down; now customers may start paying attention to banks when they tell them what the best practices are to keep their money secure.

This view that it is the banks’ responsibility does not take into account several things, not least of which is that forcing the banks to cover losses removes any incentive for customers to protect themselves.

In addition, there are many things of which the bank has no control in the security environment. How the computers are used besides online banking, for instance. What the network architecture is like at the end-user’s place of business, what security layers they have in place that are not provided by the bank, and whether they will decide to hook into an unsecured wireless network while traveling are all factors beyond the bank’s control that, if the bank is held responsible for all losses, could cost the bank millions.

It’s easy to vilify the banks when you are focused on the largest financial institutions, but a half-million dollar loss can do serious damage to a small community bank’s capital position. The end result of something like this could be that smaller banks fail more often and larger banks get to gobble them up, creating an even more lopsided banking environment.

The responsibility to protect the consumer accounts is shared. Where the line of negligence is drawn will ultimately be up to the courts, and it will always be a moving target. That’s why the FFIEC calls it “commercially reasonable”. It depends a great deal on what technology is available and cost-effective at the time.

If the customer in this case had opted for the dual control and still lost the money, you’d also have an entirely different case on your hands. At that point, it becomes about what security the bank offers, not what security the customer accepted. Because they turned down additional security, I believe they should be at fault. If the customer does not do everything in their power to protect their own account, they should be liable for their own losses if the bank can demonstrate that any security measures that were “Opted out” would have marginally increased the difficulty of malfeasance.

After all, the hackers always go for the lowest hanging fruit. It is the job of the customer and the bank to ensure that they are not that fruit.

There’s a way to split the responsibility:
– the first time a wire transfer is made to an account the transaction should require a confirmation. This would be either a phone call with a preset passphrase unique to each customer, or a fax with a different unique passphrase and a verifiable signature coming from an approved fax number.
– subsequent wire transfers to an account could be initiated online without such verification.

Any unauthorized wire transfers that are initiated online incur a penalty. After two such unauthorized transactions the bank can cancel the customer’s ability to initiate wire transfers online. Any future wire transfers would have to be done via fax with a confirmation phone call.

This puts the responsibility of preventing transfers to new accounts on the bank, but penalizes the customer (via inconvenience) for poor security.
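A small policy model of the two controls discussed so far, written as an added example (not code from the bank, the article or any commenter): dual control as the article describes it (approve and release must come from two distinct user IDs), and the split-responsibility scheme from the comment above (a first wire to an unseen beneficiary needs out-of-band confirmation; after two unauthorized online wires the customer loses online wire capability). The same-device check is an assumption added here, not something the page says the bank offered; all account and device identifiers are constructed.

```python
from dataclasses import dataclass, field

# Lockout threshold proposed in the comment above: two unauthorized online wires.
MAX_UNAUTHORIZED_ONLINE = 2


@dataclass
class WireRequest:
    beneficiary: str             # destination account identifier (constructed)
    amount: float
    approved_by: str             # user ID that entered and approved the wire
    released_by: str             # user ID that released it
    approved_from: str           # device/session the approval came from (assumption)
    released_from: str           # device/session the release came from (assumption)
    oob_confirmed: bool = False  # phone passphrase or fax confirmation completed


@dataclass
class CustomerProfile:
    dual_control: bool                      # customer opted in to dual control
    known_beneficiaries: set = field(default_factory=set)
    unauthorized_online_wires: int = 0
    online_wires_suspended: bool = False


def evaluate_wire(profile: CustomerProfile, req: WireRequest) -> tuple:
    """Return (decision, reason); decision is 'approve', 'needs_oob' or 'reject'."""
    if profile.online_wires_suspended:
        return "reject", "online wires suspended; fax request plus confirmation call required"
    if profile.dual_control:
        if req.approved_by == req.released_by:
            return "reject", "dual control: approver and releaser must be distinct user IDs"
        # Assumed extra check: if both steps come from one device, a single
        # compromised machine (or one person holding both logins) defeats dual control.
        if req.approved_from == req.released_from:
            return "reject", "dual control: approve and release came from the same device"
    if req.beneficiary not in profile.known_beneficiaries and not req.oob_confirmed:
        return "needs_oob", "first wire to this beneficiary needs out-of-band confirmation"
    return "approve", "policy satisfied"


def record_settled(profile: CustomerProfile, req: WireRequest) -> None:
    """Once a confirmed wire settles, later wires to that beneficiary may go online-only."""
    profile.known_beneficiaries.add(req.beneficiary)


def record_unauthorized(profile: CustomerProfile, req: WireRequest) -> bool:
    """Customer reports an online wire as unauthorized: forget the beneficiary,
    count the penalty, and suspend online wires at the threshold. Returns suspended state."""
    profile.known_beneficiaries.discard(req.beneficiary)
    profile.unauthorized_online_wires += 1
    if profile.unauthorized_online_wires >= MAX_UNAUTHORIZED_ONLINE:
        profile.online_wires_suspended = True
    return profile.online_wires_suspended


if __name__ == "__main__":
    # Walk-through with constructed values: a dual-control customer wiring to a new account.
    p = CustomerProfile(dual_control=True)
    one_person = WireRequest("CY-ACCT-001", 440000.0, "alice", "alice", "pc-1", "pc-1")
    print(evaluate_wire(p, one_person))          # rejected: same user ID both steps
    two_people = WireRequest("CY-ACCT-001", 440000.0, "alice", "bob", "pc-1", "pc-2")
    print(evaluate_wire(p, two_people))          # needs_oob: beneficiary never seen
    two_people.oob_confirmed = True
    print(evaluate_wire(p, two_people))          # approve
    record_settled(p, two_people)
    print(evaluate_wire(p, WireRequest("CY-ACCT-001", 5.0, "alice", "bob", "pc-1", "pc-2")))
```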

I see the sense in this approach, but it doesn’t truly split the difference. Most banks will verify the first wires sent from a company, as they are truly anomalous activity, and will need to be verified through an out-of-band method.

I don’t have a better approach, so I can’t really criticize too much, but it seems as though this solution would primarily serve to codify that the banks are not responsible for a compromise after the first transaction.

However, the first transaction will be the one where the customer’s information is compromised by malware. Up until the customer actually completes an online transaction, the miscreants won’t have all the info they need to complete a wire online.

I think that the banks need to draw a harder line with their clients about security, including reviewing the customer’s security protocols for minimum requirements based on cash availability in their accounts.

Risk-rating your customers is part of the process of approving them for the ability to move money via ACH or wires. Why not assign them to a risk tier based on expected activity, and using that tier system set minimum security requirements necessary for performing online transactions? It would be incredibly important to review their procedures on their end to ensure they aren’t bypassing their own security, but this should all be part of the annual review process for business customers.

It’s cumbersome unless the banks are already doing annual risk reviews of their clients, which they should be, according to regulations. This should just be a part of that risk review.

This is what I see in every office/financial institution I’ve consulted for and worked for. Major accounting and high level data access all diluted to one simple login and a common dictionary password like “password1”. The argument they give is that it takes too long to get work done if they do anything complex and if that person were to quit, be fired, or die then nobody would have access. What I’ve observed is it is dummied down to accommodate the owners and their accountants because they are lazy, don’t like having to think hard about a password, and think that they are above the rules because they are not the entry level employees. I have no sympathy for any business entity that gets compromised because I know that it’s the fault of the user/company and nothing to do with the security policies that were attempted to be enacted by the in-house IT or their banks.

Years ago I heard of a case where the judge ruled that a person “had the right to be stupid.” “The other option — if the customer chose not to use dual control — required one user ID and password to both approve and release a wire transfer.” This allowed the user the right to be stupid.

This matter is not really about clever attorneys or the contract between the 2 parties or even about the Internet. Transactions require compliance with processes for safety and security. 2-Factor is better than one and as the bank provided this facility, it would have been better to have used it. The question is, why didn’t they adopt 2FA?

Don’t confuse this security with 2FA; it’s not. 2FA (or Two Factor Authentication) relies on a separate channel for additional authentication. For instance, requiring a code sent to you via text message, or an email sent to your account that requires you to click a link or input a code: this is 2 Factor authentication. This solution is like requiring an additional password to sign into an email account, or requiring two pin codes on debit card transactions. It’s important to know the difference because uninformed consumers see buzzwords like this and assume they are secure.

Banks don’t always get away scot-free, but this ruling was sound. The plaintiff failed to avail itself of tighter security and is thus responsible for its own losses, and attorney fees are normally awarded to the winner in most cases. The lesson here is for consumers to take advantage of all greater security measures when available. When they are not available, then the provider eats the loss.

I recall a case in particular when the banks took a big hit. Banks at one time issued check guarantee cards to customers … that is until the Comptroller General of the U.S. ruled that check guarantee cards were open-ended loans. After a couple of slick operators hit banks for a few million, check guarantee cards disappeared.

Why has no one mentioned the fact that banks are required to use 2-factor authentication, and having two password based authentication steps is NOT 2-factor. I agree with the plaintiff in this one, they should have been reimbursed. Banks everywhere today have the illusion of dual factor, but it is not true 2-factor. More consumers should bring cases to their banks like this.

In 2010, they would have had logins and Multi-Factor Questions. While these are not considered effective 2-factor these days, at the time this was still going out of fashion. The supplement to FFIEC guidelines was not released until 2011, which clarified this issue in more certain terms. Until those guidelines were released, courts were open to looser interpretation of “commercially reasonable” security. This same case would not fly today, except for the fact that the customer was shown not to have done everything in their power to protect their account. Any business operator who opts out of a security feature in their Online Banking which would marginally increase their protection should accept at least partial liability for doing so.

BS. My bank requires me to choose a security image and phrase it will display on every login so that I “know” it’s the legitimate bank page I am logging into. Then I have a password to log in and can do everything I want to without requiring any more authentication. How is this secure in any way? I know some people are very dumb in regards to TANs but for me it’s perfect, because I can keep it to myself. Unless someone breaks in of course and steals the list. Physically. That’s less likely actually than catching an Android backdoor app to capture an SMS TAN. I asked my bank for TAN security. They declined.

@J – I too am interested in this 2FA aspect. However I don’t think it really came into play. It was sufficient in the jury’s eyes to say that the customer did not use the strongest method available to them (dual userids/passwords).

If the customer had used the strongest method, then it would have been very interesting because the jury would then truly have had to make a call on dual passwords (what I would call 1.1FA) versus “real” two-factor auth (2FA).

You’re assuming an organization that couldn’t be bothered to even enable a secondary password would have jumped through hoops to set up 2FA? The fact of the matter is the business didn’t even take the minuscule protection the bank already did offer to protect themselves. If they had, and were still compromised either from employee negligence or botnets, then I 100% agree the company could sue under the basis of inadequate security offered. In this situation though, even the basic protection the bank offered was declined. I don’t have much sympathy for businesses that don’t even take a minute amount of caution to protect themselves, especially when it requires no monetary investment or effort on their part. Imagine if you did business with this company and as a result of their negligence to properly secure their own account, your account and your information were compromised too. Consumers would scream bloody murder because the business failed to take even an iota of caution to protect themselves.

The escrow company signed a document saying they understood the risk. The bank offered poor controls. The legal decision while against the little guy seems sound.
The takeaway for SMBs should be:
1) understand the risk and ramification of online banking and talk to someone in infosec or at least do some homework
2) think about who you bank with and how secure your connection with your bank and the system you use to do banking is
3) read this post – http://krebsonsecurity.com/online-banking-best-practices-for-businesses/ – it is solid in how not to get the end point owned

“2) think about who you bank with and how secure your connection with your bank and the system you use to do banking is” Right on! In my business I have moved money from a big bank that had what I thought was weak authentication to a local bank that had much better authentication. I voted “with my feet”.

I am one of those people who believes that all large banks should be intervened by the FDIC and split into casinos and commercial banks. That said, this decision is correct.

IA Eng previously said that work emails should have their links removed to prevent phishing. Niclo Iste said in this article that companies stupidly use trivial passwords. I have said repeatedly that employees should be trained to always verify a link by hovering the cursor over it before clicking. Other people have made good comments.

Every time this subject arises, opinions are offered that one cannot blame employees for not understanding the dangers of phishing. If so, then we must idiot-proof our systems.

By the way, Paige Payne, Jim Payne, and Karen Markle are the three top-dogs at Choice Escrow and Land Title, with the first two probably either married or related. Their website (choice-escrowDOTcom) does not list any IT qualifications whatsoever.

And if you want a real laugh, go to Choice’s order form (choice-escrowDOTcom/order_form). The Submit button is http, not https as it should be. These people still have not learned from their mistakes.

“The appellate court found the same thing as the basic court. The customer was offered dual controls — that two people should be required to sign off on all transactions — and they were informed that it was important for them to take advantage of this. So, when [Choice Escrow] made an informed decision in writing not to use dual controls, the bank was careful to document that.”

On one hand Choice Escrow decided not to use this security feature and should own up to this. On the other hand they should not have had the option not to use it.

What good is two factor authentication if you can just opt out of it? Also, as mentioned, having two separate user/pass combinations is not two factor authentication to begin with.

Eric wrote “What good is two factor authentication if you can just opt out of it?”

What none of us know is the reasoning behind that. When banks mandate 2FA, do customers vote with their feet and find another bank which allows them to not use it? If the Treasury Department mandated that all banks employ 2FA, would there be a political circus caused by libertarians demanding less regulation? Does the Treasury Department even understand the issue?

The second pair of authenticators may not have been acquired the same way. The article says:
“which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use dual control — required one user ID and password to both approve and release a wire transfer.”

Nowhere does it say (or not) that the same person both approves AND releases the wire transfer. If it was, in fact, separation of duties (a great check and balance), then if Zeus was infecting one PC, the other set of credentials, presumably sent from another PC, would be safe.
If it is the same person, you’re right. We just don’t know.

Nowhere did I say in my response that the same person would use the same accounts.

If one person’s system was compromised at an institution, more than likely the other person’s system will be compromised the exact same way. In my experience these kinds of security breaches are endemic to organizations, where numerous individuals within an organization simply weren’t trained (or, sometimes, ignored training) on what to do when a suspicious email arrived, a pop-up asked them to perform an action, etc.

Other times an organization has no update mechanisms in place, so ancient software was used to access the internet and, lo and behold, systems were infected using vulnerabilities that should have already been patched.

You also have to remember that many of these bots have a LAN infection mechanism, meaning that once one system on the LAN gets infected, it immediately starts trying to infect all accessible peers on the LAN using any method available to it.

As you can guess I’m not particularly on the escrow company’s side here. I just don’t see how one failure prone security method is better than another equally failure prone security method. In my opinion both the bank and the client should have split the burden since they were both at fault. The bank failed to provide adequate security and the client failed to adequately secure its systems.

This is correct. When I was in the FI world, we were constantly discovering customers bypassing our dual control requirements by sharing authentication information.

I would, therefore, log in as both myself and my wife, who is the other signer, to send the wire. Both activities were therefore done by the same computer, resulting in the compromise of both creds at the same time.

There are several banks that offer online training to business customers in order for them to learn about and take cyber threats very seriously.

If a business decides to accept a less secure form of validation the onus is squarely on them and not the bank. ALL businesses should take cyber threats seriously and thoroughly train all employees about these threats continually. Not only does it benefit them on the job, it benefits them away from work. A little education goes a long way. Ignorance is not bliss when working online.

One poster commented about “Those greedy attorneys need I say anymore, they have one hand in your pocket and can care less about making the internet more safe for all.” Sorry my friend, it is NOT up to “greedy attorneys” to do this. It is the responsibility of ALL computer users to educate themselves about cybersecurity. Greedy attorneys do NOT keep the internet safe…each of us do by wising up and not falling victim.

An interesting hypothetical would have been if the customer had accepted dual control, both were compromised (not far fetched if Zeus was circulating in the office), would the original ruling have been the same?

We always recommend that if a company performs wire transfers as part of its business, it should do so from a dedicated, separately firewalled (or DMZ’d) machine that is never used for anything other than banking, preferably restricted to whitelisted sites, etc. It’s an excellent cost tradeoff considering the risks involved.

In general, it is well known that a HUGE amount of malware on PCs comes from non-work related activities on those PCs. And a second source is phishing emails.

Now surfing at work is kind of a mandatory work-perk, so effectively individual worker PCs cannot be expected to be ‘safe’, hence these kinds of critical activities simply should indeed be on separate PCs.

Even more so, considering much company software demands running on older OS/browser versions of IE. People often then just sign and continue to surf and blame the old software for leaks. In reality it is bad risk assessment.

If you cannot keep things separate, there should be a 100% ‘no exception, no private stuff on work PC’ policy. And this policy should then be actively enforced. But since that will likely cause revolt among employees, the separate PC is a better solution.

Why not put one/the other/both of the “business critical” and “general workaday activities” functions in a sandbox on standardized hardware? This cuts down on the spread of malware and negates the need for a dedicated machine for business-critical ops.

The resistance I most often receive to this recommendation is that the software to generate the transaction information (most commonly for ACH) must be able to be transferred from the non-dedicated PC to the dedicated PC, reducing the gains.

If you use the Network, you’re not truly isolated. If you use a USB stick to move the NACHA file, well, we all know that USB sticks are like dirty needles.

So, for the customer who wants a dedicated machine, but doesn’t want the cost or the trouble of moving the file, suggest a Linux Live CD. If their files are infected, this will protect them a bit more, and the cost is extremely low (read: free).

Bank customers should just STOP using online banking, walk into the bank, form long lines, make the bank hire more tellers and make the bank inefficient. THAT is what they deserve for their poorly planned security.
BTW, didn’t the FFIEC strongly recommend MULTI-FACTOR authentication in its 2011 supplement? And 2 signatures is NOT multi-factor…